Penetration Testing mailing list archives
Re: Remote File Include Vulns (Are you testing for it, are you teaching it)
From: Tim <tim-pentest () sentinelchicken org>
Date: Mon, 16 Oct 2006 14:43:11 -0400
Hi Joseph,
> I'm curious how many auditors are 1) testing for this stuff in your audits. Tons of blog, forum, and wiki packages have these vulns - are you guys testing for this stuff, and more importantly are you finding it vuln in your audits?
No, I haven't found this in any of my audits, because none of my clients use PHP.
> Next question is for trainers, how much time are you spending on this stuff in your web application security classes. Currently I'm spending a
No, I haven't really included this in training... I recommend people instead use a different language. But, as I mentioned above, none of the clients I've given training to use PHP.

Seriously though, this whole remote file include issue would be non-existent if the PHP developers took a minute to think about the need for such an idiotic feature. Yet this category of vulnerability has scored as one of the most numerous reported to the CVE. That's just disgusting. How many other blatantly unsafe features have made it into PHP now, with that kind of development oversight?

I'm a big fan of open source, and I used to code in PHP to pay the bills, so don't take my criticism as a LAMP vs .NET argument. I just recommend the P in LAMP to be something other than PHP.

It's kinda cold out today, so let the flames begin,

tim
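As an added illustration (not from Tim's message or anyone else in the thread), here is the include pattern the remote file include class depends on, beside a hardened version that maps request input onto a fixed allowlist so the include target is always a local, server-chosen path. The page names, the `pages/` directory and the sample requests are constructed for the example.

```php
<?php
// Added example, not from the thread: the include pattern behind remote file
// include (RFI) bugs, and a hardened replacement.

// VULNERABLE: the include target is taken straight from the request. With
// allow_url_fopen / allow_url_include enabled, PHP will fetch and execute
// code from whatever location the caller supplies.
function render_page_vulnerable(array $get): void
{
    include $get['page'];
}

// HARDENED: request input only selects a key from an allowlist; the filesystem
// path is built server-side from that key, never from the raw value.
// (Page names are constructed for this example.)
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;               // unknown key: refuse rather than guess
    }
    return __DIR__ . '/pages/' . PAGE_MAP[$requested];
}

function render_page_hardened(array $get): void
{
    $path = resolve_page($get['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Defence in depth in php.ini, independent of application code:
//   allow_url_include = Off   ; include/require refuse URL wrappers
//   allow_url_fopen   = Off   ; if remote fopen() is not otherwise needed

// Constructed requests showing the difference in behaviour:
//   ?page=http://[remote host]/x.txt -> vulnerable: remote code is executed
//                                        hardened: not in PAGE_MAP, 404
//   ?page=about                      -> both: includes pages/about.php
```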
Current thread:
- Remote File Include Vulns (Are you testing for it, are you teaching it) Joseph McCray (Oct 16)
- Re: Remote File Include Vulns (Are you testing for it, are you teaching it) Tim (Oct 16)
- Re: Remote File Include Vulns (Are you testing for it, are you teaching it) espen (Oct 16)
- Re: Remote File Include Vulns (Are you testing for it, are you teaching it) Gareth Davies (Oct 17)